and their free tool:
http://www.microsoft.com/downloads/details.aspx?familyid=62830f95-0e61-4
f87-88a6-e7c663444ac1&displaylang=en

As for OCTAVE, yes, we work with it a lot at my workplace.

I for one am not a fan of targeting and prioritization in this fashion
due to the experience that it simply doesn't work. A number of the
biggest holes I've found have been ones that would have been missed
following a model like OCTAVE. (referring to general pen testing here.)